[cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets

Andrew Bartlett abartlet at samba.org
Tue Jan 13 14:04:40 MST 2015

On Tue, 2015-01-13 at 20:39 +0000, Sreekanth Nadendla wrote:
> Hello Andrew,
>                          I have not heard from you regarding my e-mail
> below. Perhaps you are busy working on other issues. My attempts to
> reproduce the issue using the versions of kinit, klist from latest
> "kerberos for windows build"
> http://web.mit.edu/kerberos/dist/kfw/4.0/kfw-4.0.1-amd64.msi] always
> results in user name matching with what is in samAccountName if we
> ignore the case. 

Sorry, I've been busy at and preparing for linux.conf.au, which I'm at
this week.  You may need to run on linux, install ubuntu or debian, and
then install heimdal-clients (sudo apt-get install heimdal-clients).
That should help you reproduce what I'm doing. 

In the meantime, I'm also writing some specific smbtorture tests, which
will still need linux to run, but will fix the exact requests into a
testsuite that can be easily run and re-run.


> Also by design, one can actually create a user having non matching
> samAccountname, userPrincipalName  as I've indicated in my repro few
> weeks ago. See the picture below. In case you are unable to revisit
> this i.e. test this at your end and confirm which tools you are using,
> I will archive this issue for a while until you could work on it
> again. Please let me know.

Yes, I'm well aware these can be different.

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the cifs-protocol mailing list